bavoderidder.com

Identity Management Standards and Specifications

OASIS Web Services Security (WSS) TC

[http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss]

Delivers a technical foundation for implementing security functions such as integrity and confidentiality in the messages used by higher-level Web services applications. Includes WS-Security (SOAP Message Security) and its token profiles for SAML, X.509, Kerberos, REL (Rights Expression Language), SWA (SOAP with Attachments) and Username. WS-Trust, which builds on WS-Security for token issuance and exchange, is a separate specification from the OASIS WS-SX TC.

ArchiMate Version 1.0

[http://www.opengroup.org/archimate/doc/ts_archimate/]

ArchiMate is an open and independent modelling language for enterprise architecture that supports the description, analysis and visualization of architecture within and between business domains in an unambiguous way. ArchiMate is one of the open standards hosted by The Open Group, is based on the IEEE 1471 standard, and is supported by a number of tool vendors and consulting firms.

Build Security In

[https://buildsecurityin.us-cert.gov/]

Build Security In (BSI) contains and links to best practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development. BSI content is based on the principle that software security is fundamentally a software engineering problem and must be addressed in a systematic way throughout the software development life cycle.

CBDI Wikispaces

[http://cbdi.wikispaces.com/]

CBDI Forum is the Everware-CBDI research capability providing independent guidance on best practice in SOA and related processes. Working with F1000 enterprises and governments the CBDI research team is progressively developing structured methodology and reference architectures for all aspects of SOA collectively named Service Architecture & Engineering™ or SAE™.

CISSP - Certified Information Systems Security Professional

[http://www.cissps.com/]

The CISSP certification was born in 1989 and today it is the gold standard in information security certifications, with over 34,000 certified information systems security professionals worldwide.

Common Vulnerabilities and Exposures

[http://cve.mitre.org/]

CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

Common Weakness Enumeration (CWE)

[http://cwe.mitre.org/]

International in scope and free for public use, CWE™ provides a unified, measurable set of software weaknesses that will enable more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code.

Critical Infrastructure Protection Committee (CIPC)

[http://www.nerc.com/~filez/cip.html]

CIPC coordinates NERC's security initiatives. The group is comprised of industry experts in the areas of cyber security, physical security, and operational security. CIPC reports to NERC's Board of Trustees. It is governed by an Executive Committee, whose members manage CIPC policy matters and provide support to CIPC's subcommittees and their working groups and task forces.

DataPortability.org

[http://www.dataportability.org/]

As users, our identity, photos, videos and other forms of personal data should be discoverable by, and shared between our chosen (and trusted) tools or vendors. We need a DHCP for Identity. A distributed File System for data. The technologies already exist, we simply need a complete reference design to put the pieces together.

Deliverables from the Basic Security Profile Working Group

[http://www.ws-i.org/deliverables/workinggroup.aspx?wg=basicsecurity]

The Basic Security Profile Working Group is developing an interoperability profile dealing with transport security, SOAP messaging security and other Basic-Profile-oriented Web services security considerations. The Working Group is developing and selecting a set of usage scenarios and their component message exchange patterns to guide the profiling work. In addition, the Basic Security Profile Working Group will use the WS-I Security Plan Framework, particularly its collection of usage scenarios and use cases, and the WS-I Work Plan for Web Services Security Interoperability as input to its work.

DEMO Knowledge Centre

[http://www.demo.nl/]

DEMO is a methodology for the design, engineering, and implementation of organizations and networks of organizations. The entering into and complying with commitments is the operational principle for every organization. These commitments are established in the communication between social individuals, i.e. human beings.

Disruptive Ideas

[http://disruptiveideas.org/]

This site contains most, but not all, of the book Disruptive Ideas - 10+10+10=1000: the maths of Viral Change that transform organisations. I’ve done this so I could invite all managers and/or leaders in any organisation to provide some feedback on these ideas, new input and basically to co-write the second edition of the book. I would really like to learn from your experiences.

IEEE Std 1471-2000 IEEE Recommended Practice for Architectural Description of Software-Intensive Systems

[http://standards.ieee.org/reading/ieee/std_public/description/se/1471-2000_desc.html]

This recommended practice addresses the activities of the creation, analysis, and sustainment of architectures of software-intensive systems, and the recording of such architectures in terms of architectural descriptions. A conceptual framework for architectural description is established. The content of an architectural description is defined. Annexes provide the rationale for key concepts and terminology, the relationships to other standards, and examples of usage.

Federal Enterprise Architecture (FEA)

[http://www.whitehouse.gov/omb/e-gov/fea/]

Federated Identity Standards

[http://webservices.sys-con.com/read/46566.htm]

Federated identity and the standards surrounding it can be very confusing. From Liberty to WS-* to SAML and sea to shining sea, federation has become a bit of a tangle. This article will sort through some of the acronym jungle.

Identity Governance Framework

[http://www.oracle.com/goto/igf]

The Identity Governance Framework (IGF) is an open initiative to address governance of identity related information across enterprise IT systems. This initiative includes key initial draft specifications contributed by Oracle to the community. These specifications provide a common framework for defining usage policies, attribute requirements, and developer APIs pertaining to the use of identity related information. These enable businesses to ensure full documentation, control, and auditing regarding the use, storage, and propagation of identity-related data across systems and applications.

Infocard (WinFX)

[http://msdn.microsoft.com/winfx/reference/infocard/default.aspx]

"InfoCard" is the code name for a WinFX component that provides the consistent user experience required by the identity metasystem. It is specifically hardened against tampering and spoofing to protect the end user's digital identities and maintain end-user control.

Internet Security Alliance (ISAlliance)

[http://www.isalliance.org/]

The Internet Security Alliance (ISAlliance) was created to provide a forum for information sharing and thought leadership on information security issues. The ISAlliance represents corporate security interests before legislators and regulators, in so doing the alliance aims to identify and standardize best practices in Internet security and network survivability, while creating a collaborative environment to develop and implement information security solutions.

ISO/IEC 10181-3:1996 (Access control framework)

[http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=18199]

Specifies a general framework for the provision of access control. The purpose of access control is to counter the threat of unauthorized operations involving a computer or communication system.

ISO/IEC 27000-family Information Security Standards

[http://www.iso27001security.com/]

This website (independent of ISO/IEC) promotes the ISO/IEC 27000-family information security standards, also known as "ISO27k". The ISO27k standards provide generally accepted good practice guidance on Information Security Management Systems to protect the confidentiality, integrity and availability of the information content and information systems on which we all depend.

Liberty Alliance Project

[http://www.projectliberty.org]

The Liberty Alliance Project is an alliance of more than 150 companies, nonprofit and government organizations from around the globe. The consortium is committed to developing an open standard for federated network identity that supports all current and emerging network devices.

Metrics Center

[http://www.metricscenter.org/]

The Metrics Center is an open, electronic forum dedicated to enhancing the effective and efficient use of metrics to measure, analyze, and improve corporate governance, risk management, and compliance.

MIKE2.0 (Method for an Integrated Knowledge Environment)

[http://mike2.openmethodology.org/]

MIKE2.0 is a collaborative effort to help organisations who have invested heavily in applications and infrastructures, but haven't focused on the data and information needs of the business. We believe this has resulted in many of the business problems faced by organisations today around compliance, lack of customer insight, failed transformation programmes and the high cost of technology systems.

OASIS Customer Information Quality (CIQ) TC

[http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ciq]

The objective of the OASIS CIQ TC is to deliver a set of XML Specifications for defining, representing, interoperating and managing party information (including party relationships) that are truly open, vendor neutral, application independent and importantly "Global" (international).

OASIS eXtensible Access Control Markup Language (XACML) TC

[http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml]

The XACML Technical Committee will define a core XML schema for representing authorization and entitlement policies, also called XACML.

OASIS Provisioning Services Technical Committee (PSTC)

[http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=provision]

The purpose of the OASIS Provisioning Services Technical Committee (PSTC) is to define an XML-based framework for exchanging user, resource, and service provisioning information. Among the standards developed is the Service Provisioning Markup Language (SPML).

OASIS Security Services (SAML) TC

[http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security]

SAML, developed by the Security Services Technical Committee of OASIS, is an XML-based framework for communicating user authentication, entitlement, and attribute information. As its name suggests, SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application.
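
The relying-party side of what the paragraph above describes: before a service provider acts on an assertion about a subject, it has to check who issued it, that it is still within its validity window, and that it was addressed to this service provider and not to some other partner. The following is an added example, not code from the OASIS Security Services TC or from this site; the issuer, subject, audience and timestamps in the sample assertion are constructed, and XML signature verification (which must happen before any of these fields are trusted) is deliberately left out.

```python
"""Relying-party checks on a SAML 2.0 assertion's Conditions.

Added example, not code from the OASIS Security Services TC or from this
page. Shown: issuer check, NotBefore / NotOnOrAfter with a clock-skew
allowance, and AudienceRestriction, so an assertion issued for one partner
cannot be replayed at another. XML signature verification is NOT shown and
must be done before any of these fields are trusted. The assertion below is
constructed (issuer, subject, audience and times are made up).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; not from a real identity provider.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2006-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-4711</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2006-05-01T11:59:00Z" NotOnOrAfter="2006-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """xs:dateTime in UTC, as SAML requires ('Z' suffix, optional fractional seconds)."""
    if not value.endswith("Z"):
        raise ValueError("SAML times must be UTC: " + value)
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now, clock_skew=60):
    """Return (ok, reason); ok is True only when every check passes."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 Assertion"
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "unexpected issuer"
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return False, "no Conditions element"
    skew = timedelta(seconds=clock_skew)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired"
    restrictions = conditions.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        return False, "no AudienceRestriction"  # policy: this SP refuses unrestricted assertions
    for restriction in restrictions:  # every AudienceRestriction must be satisfied ...
        audiences = [(a.text or "").strip() for a in restriction.findall("saml:Audience", NS)]
        if expected_audience not in audiences:  # ... by one of the audiences it lists
            return False, "audience mismatch"
    return True, "ok"


def assertion_attributes(xml_text):
    """Attribute name -> list of values from the AttributeStatement(s)."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip()
                                   for v in attr.findall("saml:AttributeValue", NS)]
    return attrs
```

The clock-skew allowance is deliberately small; a wide window turns NotOnOrAfter into a replay window. Refusing assertions without an AudienceRestriction is a local policy choice, not something the SAML schema forces.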

OASIS SOA Reference Model

[http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=soa-rm]

The OASIS Service Oriented Architecture TC will develop a Reference Model for Service Oriented Architecture. This is primarily to address SOA being used as a term in an increasing number of contexts and specific technology implementations. Sometimes, the term is used with differing - or worse, conflicting - understandings of implicit terminology and components. This Reference Model is being developed to encourage the continued growth of different and specialized SOA implementations whilst preserving a common layer of understanding about what SOA is.

OASIS Web Services Security (WSS) TC

[http://www.oasis-open.org/committees/wss/]

Delivering a technical foundation for implementing security functions such as integrity and confidentiality in messages implementing higher-level Web services applications

OpenGroup Identity Management Forum

[http://www.opengroup.org/idm/]

The Identity Management Forum focuses on promoting effective, open standards-based identity management, which allows the right information to reach the right people, and is a prerequisite for enabling Boundaryless Information Flow™. The Forum members are active in a wide range of areas, from analyzing requirements to promoting best practices and education.

OpenID

[http://openid.net/]

This is a decentralized identity system, but one that's actually decentralized and doesn't entirely crumble if one company turns evil or goes out of business. An OpenID identity is just a URL. You can have multiple identities in the same way you can have multiple URLs. All OpenID does is provide a way to prove that you own a URL (identity). And it does this without passing around your password, your email address, or anything you don't want it to. There's no profile exchange component at all: your profile is your identity URL, but recipients of your identity can then learn more about you from any public, semantically interesting documents linked thereunder (FOAF, RSS, Atom, vCard, etc.).
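
What "proving you own a URL without passing around your password" looks like on the relying-party side: the OpenID Provider returns a positive assertion signed with the MAC key from the association it negotiated with the relying party, and the relying party verifies that signature, the return_to and OP endpoint, and the freshness and uniqueness of the response nonce. The following is an added example, not code from openid.net or from this site; the association key, endpoints, identity URLs and nonce are constructed.

```python
"""Relying-party verification of an OpenID 2.0 positive assertion (id_res).

Added example, not code from openid.net or from this page. The signature is
base64(HMAC(mac_key, key-value form of the fields listed in openid.signed)),
so the RP never needs the user's password: only the association key it shares
with the OP. The association and the assertion below are constructed.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

OPENID_NS = "http://specs.openid.net/auth/2.0"
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

# Constructed association, as if negotiated earlier with openid.mode=associate.
ASSOC_HANDLE = "{HMAC-SHA256}{4a1b2c3d}{example}"
ASSOCIATIONS = {ASSOC_HANDLE: ("HMAC-SHA256", hashlib.sha256(b"constructed mac key").digest())}

# Fields that must be covered by the signature (OpenID 2.0, section 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def utc(stamp):
    """Parse 'YYYY-MM-DDThh:mm:ssZ' into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_value_form(params, signed_fields):
    """Key-Value Form encoding: one 'key:value\\n' line per signed field, in order."""
    return "".join("%s:%s\n" % (field, params["openid." + field]) for field in signed_fields)


def sign(params, assoc_type, mac_key):
    """openid.sig as the OP computes it: base64(HMAC(mac_key, key-value form))."""
    message = key_value_form(params, params["openid.signed"].split(",")).encode("utf-8")
    return base64.b64encode(hmac.new(mac_key, message, DIGESTS[assoc_type]).digest()).decode("ascii")


def verify_assertion(params, expected_return_to, expected_op_endpoint, seen_nonces, now,
                     max_age=timedelta(minutes=5)):
    """Return (ok, reason); rejects forged, tampered, misdirected, stale or replayed assertions."""
    if params.get("openid.ns") != OPENID_NS or params.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    signed_fields = params.get("openid.signed", "").split(",")
    required = set(REQUIRED_SIGNED)
    if "openid.claimed_id" in params:  # identity fields must be signed when present
        required |= {"claimed_id", "identity"}
    if required - set(signed_fields) or any("openid." + f not in params for f in signed_fields):
        return False, "signed field list incomplete or inconsistent"
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    if params.get("openid.op_endpoint") != expected_op_endpoint:
        return False, "op_endpoint mismatch"
    assoc = ASSOCIATIONS.get(params.get("openid.assoc_handle"))
    if assoc is None:  # a real RP would fall back to openid.mode=check_authentication here
        return False, "unknown assoc_handle"
    nonce = params.get("openid.response_nonce", "")
    try:
        issued = utc(nonce[:20])  # nonce starts with the OP's UTC timestamp
    except ValueError:
        return False, "malformed response_nonce"
    if not (now - max_age <= issued <= now + max_age):
        return False, "stale response_nonce"
    if nonce in seen_nonces:
        return False, "replayed response_nonce"
    assoc_type, mac_key = assoc
    if not hmac.compare_digest(sign(params, assoc_type, mac_key), params.get("openid.sig", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)  # remember it for at least the nonce window
    return True, "ok"


def sample_assertion():
    """A constructed positive assertion, signed with the constructed association key."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.org/server",
        "openid.claimed_id": "https://alice.example.org/",
        "openid.identity": "https://alice.example.org/",
        "openid.return_to": "https://rp.example.com/openid/return",
        "openid.response_nonce": "2006-05-01T12:00:00Zk3x9Qa",
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign(params, *ASSOCIATIONS[ASSOC_HANDLE])
    return params
```

The order of checks matters less than their completeness: a valid signature over a stale nonce, or over a return_to that points at another site, is still an assertion the relying party must refuse.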

OSIS Working Group

[http://osis.netmesh.org/wiki/Main_Page]

The OSIS project brings together the heads of open-source projects related to digital identity so that those projects can work independently but in alignment: overlapping work is avoided and the parts developed by different projects fit together. Its concrete goal is to deliver, as a joint effort of multiple projects, an open-source identity selector that is at least as functional as, and fully compatible with, Microsoft's CardSpace (formerly known as InfoCard) identity selector that will ship with Windows Vista.

OWASP - The Open Web Application Security Project

[http://www.owasp.org/index.html]

The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software. Our open source projects and local chapters produce free, unbiased, open-source documentation, tools, and standards. The OWASP community also facilitates conferences, local chapters, articles, papers, and message forums. The OWASP Foundation, a not-for-profit charitable organization, ensures the ongoing availability and support for our work. Participation in OWASP is free and open to all, as are all the materials here.

Project ArisID

[http://www.openliberty.org/wiki/index.php/ProjectAris]

The ArisID API implements the CARML (Client Attribute Requirements Markup Language) and Privacy Constraints IGF specifications Liberty Alliance released earlier this year. ArisID demonstrates how CARML and Privacy Constraints policies may be used by developers to create declarative identity applications. The open source ArisID declarative approach defines what identity-enabled transactions can be performed to ensure applications only use identity information required to complete a transaction. This allows developers to build secure identity-enabled enterprise applications that are easily auditable and protect the personally identifiable information (PII), such as a social security number or credit information, of people engaging in enterprise identity-enabled transactions.

RFC 2828 - Internet Security Glossary

[http://www.faqs.org/rfcs/rfc2828.html]

This Glossary (191 pages of definitions and 13 pages of references) provides abbreviations, explanations, and recommendations for use of information system security terminology. The intent is to improve the comprehensibility of writing that deals with Internet security, particularly Internet Standards documents (ISDs).

RFC 2903 - Generic AAA Architecture

[http://www.faqs.org/rfcs/rfc2903.html]

This memo proposes an Authentication, Authorization, Accounting (AAA) architecture that would incorporate a generic AAA server along with an application interface to a set of Application Specific Modules that could perform application specific AAA functions. A separation of AAA functions required in a multi-domain environment is then proposed using a layered protocol abstraction. The long term goal is to create a generic framework which allows complex authorizations to be realized through a network of interconnected AAA servers.

RFC 2904 - AAA Authorization Framework

[http://www.faqs.org/rfcs/rfc2904.html]

This memo serves as the base requirements for Authorization of Internet Resources and Services (AIRS). It presents an architectural framework for understanding the authorization of Internet resources and services and derives requirements for authorization protocols.

RFC 3281 - An Internet Attribute Certificate Profile for Authorization

[http://www.ietf.org/rfc/rfc3281.txt]

This specification defines a profile for the use of X.509 Attribute Certificates in Internet Protocols. Attribute certificates may be used in a wide range of applications and environments covering a broad spectrum of interoperability goals and a broader spectrum of operational and assurance requirements. The goal of this document is to establish a common baseline for generic applications requiring broad interoperability as well as limited special purpose requirements. The profile places emphasis on attribute certificate support for Internet electronic mail, IPSec, and WWW security applications.

Role Based Access Control

[http://csrc.nist.gov/rbac/]

One of the most challenging problems in managing large networks is the complexity of security administration. Role based access control (also called role based security), as formalized in 1992 by David Ferraiolo and Rick Kuhn, has become the predominant model for advanced access control because it reduces the complexity and cost of security administration in large networked applications. Most information technology vendors have incorporated RBAC into their product line, and the technology is finding applications in areas ranging from health care to defense, in addition to the mainstream commerce systems for which it was designed.
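
The model the paragraph above refers to, as an added example rather than NIST's own code or anything from this site: users are assigned to roles, permissions are assigned to roles, senior roles inherit the permissions of junior roles, a static separation-of-duty constraint bounds which roles one user may be authorized for at the same time, and a session activates only a subset of the user's roles. The roles, permissions and users in sample_policy() are constructed for illustration.

```python
"""Core RBAC with a role hierarchy, static separation of duty and sessions.

Added example, not code from NIST or from this page. The role names,
permissions and users in sample_policy() are constructed.
"""


class RBAC:
    def __init__(self):
        self.juniors = {}     # role -> roles it inherits permissions from
        self.role_perms = {}  # role -> {(operation, object)}
        self.user_roles = {}  # user -> roles directly assigned
        self.ssd = []         # [(frozenset of roles, n)]: no user may be authorized for n of them

    def add_role(self, role, inherits=()):
        if role in self.juniors or set(inherits) - set(self.juniors):
            raise ValueError("bad role definition for %r" % role)
        # A role may only inherit from roles that already exist, so the hierarchy stays acyclic.
        self.juniors[role] = set(inherits)
        self.role_perms[role] = set()

    def grant(self, role, operation, obj):
        self.role_perms[role].add((operation, obj))

    def add_ssd(self, roles, n=2):
        self.ssd.append((frozenset(roles), n))

    def closure(self, roles):
        """The given roles plus every role they inherit from, transitively."""
        seen, todo = set(), list(roles)
        while todo:
            role = todo.pop()
            if role not in seen:
                seen.add(role)
                todo.extend(self.juniors[role])
        return seen

    def authorized_roles(self, user):
        return self.closure(self.user_roles.get(user, set()))

    def can_assign(self, user, role):
        """SSD is checked on the authorized roles after assignment, hierarchy included."""
        if role not in self.juniors:
            return False, "unknown role"
        after = self.closure(self.user_roles.get(user, set()) | {role})
        for roles, n in self.ssd:
            held = after & roles
            if len(held) >= n:
                return False, "SSD violation: would hold %s" % sorted(held)
        return True, "ok"

    def assign(self, user, role):
        ok, reason = self.can_assign(user, role)
        if not ok:
            raise ValueError(reason)
        self.user_roles.setdefault(user, set()).add(role)

    def permissions(self, roles):
        return set().union(*(self.role_perms[r] for r in self.closure(roles)))

    def check_access(self, user, operation, obj, active_roles=None):
        """active_roles models a session: only activated roles (and their juniors) count."""
        authorized = self.authorized_roles(user)
        roles = authorized if active_roles is None else set(active_roles)
        if not roles <= authorized:  # a session cannot activate roles the user is not authorized for
            return False
        return (operation, obj) in self.permissions(roles)


def sample_policy():
    """Constructed policy: an engineering hierarchy plus a purchasing SSD constraint."""
    rbac = RBAC()
    rbac.add_role("employee")
    rbac.add_role("engineer", inherits=["employee"])
    rbac.add_role("release_manager", inherits=["engineer"])
    rbac.add_role("purchaser")
    rbac.add_role("approver")
    rbac.grant("employee", "read", "wiki")
    rbac.grant("engineer", "push", "repo")
    rbac.grant("release_manager", "deploy", "prod")
    rbac.grant("purchaser", "create", "purchase_order")
    rbac.grant("approver", "approve", "purchase_order")
    rbac.add_ssd(["purchaser", "approver"], 2)  # nobody may both raise and approve an order
    rbac.assign("alice", "release_manager")
    rbac.assign("bob", "purchaser")
    return rbac
```

The administrative saving the paragraph describes comes from the hierarchy and the constraints: adding a permission to the engineer role reaches every release manager, and the SSD rule is enforced at assignment time rather than audited after the fact. The session parameter is where least privilege lives; a release manager working a normal ticket should activate only the engineer role.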

Security Metrics

[http://www.securitymetrics.org/]

A community website for security practitioners. Securitymetrics.org offers a community blogging service and a members-only mailing list.

Security Officers Management and Analysis Project

[http://somap.org/]

One of the main goals of the Security Officers Management and Analysis Project (SOMAP.org) is to develop and maintain Open Source Information Security Risk Management tools and utilities. It is our strong belief that risk management processes and best practices need to be offered in an open kind of way.

Security Visualization

[http://www.secviz.org/]

As networks become ever more complex, securing them becomes more and more difficult. The solution is visualization. Using today's state-of-the-art data visualization techniques, you can gain a far deeper understanding of what's happening on your network right now. You can uncover hidden patterns of data, identify emerging vulnerabilities and attacks, and respond decisively with countermeasures that are far more likely to succeed than conventional methods.

Shibboleth

[http://shibboleth.internet2.edu/]

The Shibboleth software implements the OASIS SAML v1.1 specification, providing a federated single sign-on and attribute exchange framework. Shibboleth also provides extended privacy functionality allowing the browser user and their home site to control the attribute information being released to each Service Provider.

The Architecture Tradeoff Analysis Method (ATAM)

[http://www.sei.cmu.edu/architecture/ata_method.html]

The SEI's Architecture Tradeoff Analysis Method (ATAM) is the leading method in the area of software architecture evaluation. An evaluation using the ATAM typically takes three to four days and gathers together a trained evaluation team, architects, and representatives of the architecture's various stakeholders.

The Information Architecture Institute

[http://iainstitute.org/]

The Information Architecture Institute is a 501(c)6 professional organization, operated by a dedicated, multi-national group of people. Volunteering our own resources, we aspire to build bridges to related disciplines and organizations. We invite you to join us in advancing the state of information architecture through research, education, advocacy and community service.

The Open Geospatial Consortium

[http://www.opengeospatial.org/]

The Open Geospatial Consortium, Inc.® (OGC) is a non-profit, international, voluntary consensus standards organization that is leading the development of standards for geospatial and location based services.

The Open Group Security Forum

[http://www.opengroup.org/security/]

The Security Forum works to raise industry confidence levels by defining technical standards and guidelines to counter the whole range of security risks and vulnerabilities, and also addresses business and technology perspectives in its Manager's and Technical Guides.

TOGAF 9 Online HTML

[http://www.opengroup.org/architecture/togaf9-doc/arch/]

The Open Group Architecture Framework (TOGAF) is a framework - a detailed method and a set of supporting tools - for developing an enterprise architecture. It may be used freely by any organization wishing to develop an enterprise architecture for use within that organization.

WS-I.org

[http://www.ws-i.org/]

WS-I is an open industry organization chartered to promote Web services interoperability across platforms, operating systems and programming languages. The organization’s diverse community of Web services leaders helps customers to develop interoperable Web services by providing guidance, recommended practices and supporting resources. All companies interested in promoting Web services interoperability are encouraged to join the effort.

WS-SecureConversation

[http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512]

The mechanisms defined in [WS-Security] provide the basic mechanisms on top of which secure messaging semantics can be defined for multiple message exchanges. This specification defines extensions to allow security context establishment and sharing, and session key derivation. This allows contexts to be established and potentially more efficient keys or new key material to be exchanged, thereby increasing the overall performance and security of the subsequent exchanges.

WS-Trust

[http://docs.oasis-open.org/ws-sx/ws-trust/200512]

[WS-Security] defines the basic mechanisms for providing secure messaging. This specification uses these base mechanisms and defines additional primitives and extensions for security token exchange to enable the issuance and dissemination of credentials within different trust domains.

XDI.ORG

[http://www.xdi.org/]

XDI.ORG is an international non-profit public trust organization governing open public XRI and XDI infrastructure. XRI (Extensible Resource Identifier) and XDI (XRI Data Interchange) are open standards for digital identity addressing and trusted data sharing developed at OASIS, the leading XML e-business standards body. XRI and XDI infrastructure enables individuals and organizations to establish persistent, privacy-protected Internet identities and form long-term, trusted peer-to-peer data sharing relationships.

Zachman Framework Associates

[http://zachmanframeworkassociates.com/]

Now that you have heard the theory from John, come join us in becoming a Certified Enterprise Architect. Attend either our new 'Making Zachman Work' or our 'Enterprise Modelling Workshop' towards your certification. Framework2 is a schema: the intersection between two historical classifications that have been in use for literally thousands of years. The first is the fundamentals of communication found in the primitive interrogatives: What, How, When, Who, Where, and Why. It is the integration of answers to these questions that enables the comprehensive, composite description of complex ideas. The second is derived from reification, the transformation of an abstract idea into an instantiation, which was initially postulated by ancient Greek philosophers and is labeled in Framework2: Identification, Definition, Representation, Specification, Configuration and Instantiation.

Copyright © Bavo De Ridder 2004 - 2006. Some Rights Reserved

If you have any questions or remarks about this site, do not hesitate to contact me by mail.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.